On Mon, Jul 20, 2015 at 09:51:28AM +0000, mlist wrote: > Hi Willy > > >> Hi Baptiste, as you can see using prefix or sticky table we found this > >> invalid cookie problem. > >> > >> - Why without haproxy in the middle we do not have this problem ? why a > >> browser send an INVALID cookie ? > > >Because it learned it another way, maybe before you installed haproxy, > >maybe on a direct connection or anything. > > I'm sure enough this is not the case. After we get this behavior, we cleaned > all cookies. After some testing passing only by haproxy for these domain, we > get the problem again, with Chrome and with IE.
OK, interesting. > >> - How we can match absence of prefix ? can be done directly by haproxy ? > > > I think haproxy should fix it, yes, otherwise it can continue this way > > forever. That said, it *will* break existing sessions, but if haproxy > > applies load balancing, such session will be broken as well. > > > What version is this, 1.6-dev or 1.5 ? > > What do you mean with: "it *will* break existing sessions" ? if we load > balance web application with haproxy, session coming in must have a cookie > inserted/prefixed by haproxy, I'm wrong ? if so any request with an Invalid > cookie is INVALID :D so no session will be broken... What I mean is that if the cookie is invalid, haproxy cannot use the cookie to decide what server to send the request to, so it will pick one server in the farm which is not necessarily the right one (in fact it has a (N-1)/N chance of picking a wrong one in a farm of N servers). That's why I think that haproxy should fix this when this happens. Most likely the problem is that once a wrong cookie flows from the client to the server, the server will not emit this cookie anymore so no prefixing will occur. For this reason I think that we should remove the invalid cookies from the requests when running in prefix mode. In order to know exactly how the situation happened, you'll need to look through all the logs affecting the client which exhibited the problem. The cookie flags will indicate when the cookie was inserted/prefixed, present or valid/invalid etc... And maybe we'll find what produces this situation. It is also possible that the cookie is built by the application using javascript. > We compiled from source "HA-Proxy version 1.6-dev2-25f4e3e 2015/07/10" OK thanks. Do you know if 1.5 also produces the same problem ? It could be a regression, though I don't remember that we ever touched that area recently. Willy
